[08/13] drm/irq: Check for valid VBLANK before dereference

Message ID	1418748815-15434-8-git-send-email-thierry.reding@gmail.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces@lists.freedesktop.org> From: Thierry Reding <thierry.reding@gmail.com> To: dri-devel@lists.freedesktop.org Subject: [PATCH 08/13] drm/irq: Check for valid VBLANK before dereference Date: Tue, 16 Dec 2014 17:53:30 +0100 Message-Id: <1418748815-15434-8-git-send-email-thierry.reding@gmail.com> In-Reply-To: <1418748815-15434-1-git-send-email-thierry.reding@gmail.com> References: <1418748815-15434-1-git-send-email-thierry.reding@gmail.com> Cc: linux-samsung-soc@vger.kernel.org, Daniel Vetter <daniel.vetter@ffwll.ch>, Benjamin Gaignard <benjamin.gaignard@linaro.org>, Mark Yao <mark.yao@rock-chips.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Message ID

1418748815-15434-8-git-send-email-thierry.reding@gmail.com (mailing list archive)

State

New, archived

Headers

From: Thierry Reding <thierry.reding@gmail.com>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH 08/13] drm/irq: Check for valid VBLANK before dereference
Date: Tue, 16 Dec 2014 17:53:30 +0100
Message-Id: <1418748815-15434-8-git-send-email-thierry.reding@gmail.com>
In-Reply-To: <1418748815-15434-1-git-send-email-thierry.reding@gmail.com>
References: <1418748815-15434-1-git-send-email-thierry.reding@gmail.com>
Cc: linux-samsung-soc@vger.kernel.org, Daniel Vetter <daniel.vetter@ffwll.ch>,
	Benjamin Gaignard <benjamin.gaignard@linaro.org>,
	Mark Yao <mark.yao@rock-chips.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Commit Message

Thierry Reding Dec. 16, 2014, 4:53 p.m. UTC

From: Thierry Reding <treding@nvidia.com>

When accessing the array of per-CRTC VBLANK structures we must always
check that the index into the array is valid before dereferencing to
avoid crashing.

Signed-off-by: Thierry Reding <treding@nvidia.com>
---
 drivers/gpu/drm/drm_irq.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

Michel Dänzer Dec. 17, 2014, 3:11 a.m. UTC | #1

On 17.12.2014 01:53, Thierry Reding wrote:
> From: Thierry Reding <treding@nvidia.com>
> 
> When accessing the array of per-CRTC VBLANK structures we must always
> check that the index into the array is valid before dereferencing to
> avoid crashing.
> 
> Signed-off-by: Thierry Reding <treding@nvidia.com>
> ---
>  drivers/gpu/drm/drm_irq.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
> index a24658162284..cb207e047505 100644
> --- a/drivers/gpu/drm/drm_irq.c
> +++ b/drivers/gpu/drm/drm_irq.c
> @@ -1070,10 +1070,10 @@ void drm_vblank_put(struct drm_device *dev, int crtc)
>  {
>  	struct drm_vblank_crtc *vblank = &dev->vblank[crtc];
>  
> -	if (WARN_ON(atomic_read(&vblank->refcount) == 0))
> +	if (WARN_ON(crtc >= dev->num_crtcs))
>  		return;
>  
> -	if (WARN_ON(crtc >= dev->num_crtcs))
> +	if (WARN_ON(atomic_read(&vblank->refcount) == 0))
>  		return;
>  
>  	/* Last user schedules interrupt disable */
> @@ -1356,6 +1356,9 @@ void drm_vblank_post_modeset(struct drm_device *dev, int crtc)
>  	if (!dev->num_crtcs)
>  		return;
>  
> +	if (WARN_ON(crtc >= dev->num_crtcs))
> +		return;
> +
>  	if (vblank->inmodeset) {
>  		spin_lock_irqsave(&dev->vbl_lock, irqflags);
>  		dev->vblank_disable_allowed = true;
> 

It would probably be better to use WARN_ON_ONCE, otherwise any bugs
triggering these might flood dmesg.

diff --git a/drivers/gpu/drm/drm_irq.c b/drivers/gpu/drm/drm_irq.c
index a24658162284..cb207e047505 100644
--- a/drivers/gpu/drm/drm_irq.c
+++ b/drivers/gpu/drm/drm_irq.c
@@ -1070,10 +1070,10 @@  void drm_vblank_put(struct drm_device *dev, int crtc)
 {
 	struct drm_vblank_crtc *vblank = &dev->vblank[crtc];
 
-	if (WARN_ON(atomic_read(&vblank->refcount) == 0))
+	if (WARN_ON(crtc >= dev->num_crtcs))
 		return;
 
-	if (WARN_ON(crtc >= dev->num_crtcs))
+	if (WARN_ON(atomic_read(&vblank->refcount) == 0))
 		return;
 
 	/* Last user schedules interrupt disable */
@@ -1356,6 +1356,9 @@  void drm_vblank_post_modeset(struct drm_device *dev, int crtc)
 	if (!dev->num_crtcs)
 		return;
 
+	if (WARN_ON(crtc >= dev->num_crtcs))
+		return;
+
 	if (vblank->inmodeset) {
 		spin_lock_irqsave(&dev->vbl_lock, irqflags);
 		dev->vblank_disable_allowed = true;

[08/13] drm/irq: Check for valid VBLANK before dereference

Commit Message

Comments

Patch